Deploying WebGoat using Ansible

Intro

WebGoat and WebWolf are great tools to learn about the OWASP top 10 security issues in web applications.

These tools can be installed in many ways: natively, as single-jar applications running locally on a Java runtime; as a local Docker image; as a Docker image managed in Kubernetes; or in a Kubernetes cloud environment.

The section here discusses how to install WebGoat and WebWolf using Ansible. With Ansible you can install the apps on your local operating system or on specific servers that you want to manage.

Pre-requisite

You want to install WebGoat on MacOS or Linux (Ubuntu/CentOS/RHEL) and have Ansible installed.

Install the zubcevic.webgoat_ansible_role role from the Ansible Galaxy community roles:

ansible-galaxy install zubcevic.webgoat_ansible_role

The role and the documentation can be viewed on Ansible Galaxy or GitHub.

Local native install on a MacOS

This section explains how WebGoat can be installed on the same machine where Ansible is installed.

For a native installation of WebGoat, you can use the following playbook:

- hosts: localhost
  roles:
     - role: zubcevic.webgoat_ansible_role

In this case it is required to have a Java 11 runtime environment on the classpath in order to run the application.

With the following playbook, an embedded Java 11 JRE is installed as well and used for starting WebGoat.

- hosts: localhost
  roles:
     - role: zubcevic.webgoat_ansible_role
       webgoat_downloadlocaljre: "yes"
       webgoat_jre_url: "https://github.com/AdoptOpenJDK/openjdk11-binaries/releases/download/jdk-11.0.7%2B10/OpenJDK11U-jre_x64_mac_hotspot_11.0.7_10.tar.gz"

In order to execute this playbook use the following Ansible playbook command:

ansible-playbook -c local localwebgoat.yml

After running this, there is a directory named webgoat that contains the JRE, the WebGoat jar files, the stop and start scripts, and the log files of the running applications. The applications can be accessed at the URLs http://127.0.0.1:8080/WebGoat and http://127.0.0.1:9090/WebWolf

Local docker install on MacOS

You can also choose not to depend on Java and instead run the same applications as Docker images. The prerequisite is that Docker is installed. (You could look for ways to install Docker using Ansible, but that is out of scope for the zubcevic.webgoat_ansible_role.)

The playbook then looks like:

- hosts: localhost
  roles:
     - role: zubcevic.webgoat_ansible_role
       webgoat_installtype: "docker"

In order to execute this playbook use the following Ansible playbook command:

ansible-playbook -c local localwebgoat.yml

After running this, you will see a container with the name webgoat and the image webgoat/goatandwolf. The applications can be accessed at http://127.0.0.1:8080/WebGoat and http://127.0.0.1:9090/WebWolf
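A post-deploy check for the Docker playbook above, written as an added example that is not part of the original page or of the role itself. It waits for both applications on the loopback URLs given above, then reports whether the same ports also answer on the host's default IPv4 address. The timeouts, retry counts and the firewall suggestion in the message are assumptions.

```yaml
# Added example: the page's localhost playbook plus post-deploy checks.
- hosts: localhost
  roles:
    - role: zubcevic.webgoat_ansible_role
      webgoat_installtype: "docker"

  post_tasks:
    # The applications need time to start; wait for both loopback ports first.
    - name: Wait for WebGoat (8080) and WebWolf (9090) on loopback
      ansible.builtin.wait_for:
        host: 127.0.0.1
        port: "{{ item }}"
        timeout: 180        # assumed upper bound for startup
      loop: [8080, 9090]

    # An open port is not yet a working app; retry until HTTP answers.
    - name: Confirm both applications answer over HTTP
      ansible.builtin.uri:
        url: "{{ item }}"
        status_code: [200, 302]
      register: probe
      until: probe is succeeded
      retries: 12
      delay: 10
      loop:
        - http://127.0.0.1:8080/WebGoat
        - http://127.0.0.1:9090/WebWolf

    # Exposure check: do the same ports answer on a non-loopback address?
    - name: Probe the ports on the default IPv4 address
      ansible.builtin.wait_for:
        host: "{{ ansible_facts.default_ipv4.address }}"
        port: "{{ item }}"
        timeout: 5
      loop: [8080, 9090]
      register: lan_probe
      ignore_errors: true   # a timeout here means the port is loopback-only
      when: ansible_facts.default_ipv4.address is defined

    - name: Report ports that are not bound to loopback only
      ansible.builtin.debug:
        msg: "Port {{ item.item }} also answers on {{ ansible_facts.default_ipv4.address }}; restrict it with a host firewall on a shared network."
      loop: "{{ lan_probe.results | default([]) }}"
      when: item is succeeded and item is not skipped
```

The probe runs on the managed host itself, so it shows which address the ports are bound to, not whether a firewall between hosts blocks them.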

Local native install on Raspberry Pi 4

The Raspberry Pi can also run WebGoat on Java. You need to supply a Java 11 JRE for the ARMv7-based CPU architecture.

A sample Ansible inventory file looks like:

all:
  children:
    webgoat:
      hosts:
        192.168.0.113:
      vars:
        ansible_user: pi

A sample Ansible playbook would look like:

---
- hosts: webgoat
  roles:
    - role: zubcevic.webgoat_ansible_role
      webgoat_jre_url: "https://github.com/AdoptOpenJDK/openjdk11-binaries/releases/download/jdk-11.0.7%2B10/OpenJDK11U-jre_arm_linux_hotspot_11.0.7_10.tar.gz"
      webgoat_downloadlocaljre: "yes"

As you can see, an arm_linux_hotspot JRE is chosen.

In order to execute this playbook use the following Ansible playbook command:

ansible-playbook -i inventory_pi pi.yml